Incident Response Journey in Cyber Security

1. Digital Forensics Incident
Readiness
Maximising the ability to gather relevant digital evidence while minimising cost and
disruption to normal operations.
Presented by Colm Gallagher MSc FCCI, CFCE, Forensics Director, CommSec
IRISSCON 2022

2. Colm Gallagher
Current Forensic Director at CommSec Communications and
Security (2020 - present)
Former Detective at Garda National Cyber Crime Bureau
(2007-2020)
Former Systems Administrator at Garda IT Division (1997-
2007)
Former Irish Representative on Europol CGNAT Expert Group
Rubbish at making PowerPoints look good (1987-Present)
www.linkedin.com/in/colm-gallagher/

3. Digital Forensics
use cases
• Criminal investigations
• Civil litigation
• Compliance
• Incident response
• HR investigations
• Data Breaches
• Insider threats

4. Digital Forensics
tools – a sprawling
array
• Digital Forensics suites
• Specific-use tools (e.g. Shellbag examination tools)
• Mobile Forensic tools
• Blockchain analysis tools
• Incident response triage tools
• Remote acquisition tools
• Log analysis tools
• Search and visualisation tools
• Case Management tools
• OSINT tools
• Scripts
• Dual use tools – living off the land
An ever-growing array of tools designed to process an ever-growing
variety of information sources.

5. Digital Forensics
simplified workflow
INCIDENT!!!
Preserve &
Collect
Examination Analysis Reporting

6. Forensics issues –
Law Enforcement
• Larger datasets consume finite processing power
• Storage requirements
• Staff retention is an issue
• Under investment/Budgetary constraints
• Longer procurement processes
• Requirement to find best evidence
• Privacy legislation and regulations may hamper evidence
acquisition
• Lack of access to evidence
• Global evidence sources in various jurisdictions
• However, capability and methodologies largely already in
place – and incidents investigated are usually external (and
known of in advance)

7. Forensics issues –
Industry
• Large datasets
• Cloud usage is widespread
• Varying levels of control over evidence
sources
• Lack of evidence sources?
• Qualified personnel not always in-house
• eDiscovery needs
• Dual use devices (BYOD)
• Legal issues
• Incidents may arise suddenly

8. Forensics time sinks
• Identification of evidence sources
• Gaining access to evidence sources
• Obtaining a supply of storage
• Setting up and verifying required tools
• Allocation of roles
• Copying data/Forensic imaging
• Processing of gathered evidence
• Analysis of relevant evidence

9. Forensics
Readiness
ISO27002:2022
To ensure consistent and effective
management of evidence related to
information security incidents for the
purposes of disciplinary and legal actions,
the organization should establish and
implement procedures for the
identification, collection, acquisition and
preservation of evidence related to
information security events.

10. Forensics
Readiness
ISACA
The achievement of an appropriate level of
capability by an organization in order for it
to be able to collect, preserve, protect and
analyse digital evidence so that this
evidence can be effectively used in any
legal matters, in disciplinary matters, in an
employment tribunal or court of law.

11. Forensics
Readiness
UK Ministry of Justice
It is necessary, as part of incident
management, to have the ability to collect
and analyse data held on a variety of
electronic devices or storage media that
may be used as evidence in some future
investigation.
UK MoJ have published policies requiring
forensic readiness and planning.

12. Pre-investigation
questions
• Where’s our evidential data?
• Who has access to it?
• Are we discarding useful evidence sources?
• Where might the evidence be for given scenarios?
• What are our retention periods?
• How should we get at potential evidence?
• Who’s going to do it?
• Where will we put it?

13. Tasks you may not
want to leave until
your busiest time
• Identify evidence
• Prioritise evidence sources and their retention
times
• Allocate roles
• Gain access
• Establish roles and communication channels
• Identify and contact 3rd Party support
• Identify, obtain and verify required tools and
hardware
• Create document templates such as receipts,
chain of custody records, incident logs
• Create case file environment
• Obtain secure storage
• And so on…

14. Forensics Readiness
Planning – some
practical measures
• Information asset register
• Location of information
• Ownership of assets
• Retention times for information
• Importance of each asset to the organisation
• Are logs retained in relation to the asset?
• Incident response plan
• Include potential forensic actions
• How should we get at evidence
• Roles and responsibilities
• Establish communication channels
• Where will we store evidence?
• How long will should it typically take to extract evidence?
• What tools do we have available to us?
• What labelling conventions will we use?
• Document preparation
• Chain of custody templates
• Procedural documents
• Labelling
• Communication templates
• Prepared incident logs
• Report templates
• Incident Response exercising
• Gain familiarity with roles and processes
• Establish probable timescales
• Test communications
• Identify gaps
• Test efficacy of chosen tools

15. Digital Forensics
with Readiness
Readiness INCIDENT!!!
Preserve &
Collect
Examination Analysis Reporting

16. Forensics
Readiness benefits
• Quicker and more efficient response
• Quickly identify attack vectors
• Less likelihood of inadvertently damaging
evidence during early part of response
• Lower cost – maintaining evidence sources can
cost significantly less than trying to make up for
their absence
• Lower cost – IR costs can be enormous and
completing as much as possible removes that
cost during events
• Less disruption to normal business during
investigations
• Detect threats earlier
• Deter insider threats
• Demonstrate high standards for compliance

17. Thank you!
colm.gallagher@commsec.ie